About the Company
One of the largest utility service providers, servicing 4 million customers in over 300 urban, and rural communities, including NJ’s six largest cities. The company serves the population in an area consisting of a 2,600-square-mile , diagonal corridor across East Coast states in the United States.
The company has a wide range of network systems and applications hosted in AWS Cloud.
As customers grew, the networks and applications grew, and new environments increased with different technologies. Manual Penetration testing and code review required for AWS Hosted Services to meet the Security Compliances to avoid internet threats.
Considering this growing facility issues, the ability to serve its growing customer base, the company decided to move to an efficient security solution which would be faster, more secure, low downtime, and most importantly cost effective.
Kapstone proposed and implemented a completed security solution for Amazon Web Service (AWS) which would meet all the needs of the company.
To identify gaps in security Kapstone’s AWS Cloud Security Team created a Risk factor based action plan for identifying the gap of the system security to reduce the threat with the help of Black Box and Gray Box Penetration Test and Code Review.
Setup a strong business case to produce the security message at the implementation stage to discover new threats.
To find the weakest link in the intricate structure, security assessment focuses on resources like AWS Lambda, EC2, S3, API Gateway, KMS, AWS Secrets Manager and VPC to meet baseline security for all typical entities and Organization regulatory compliances.
To achieve security, the key controls assessed by Kapstone AWS Cloud Security Team:
- System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.
- No sensitive data should be stored outside of the app container or system credential storage facilities.
- No sensitive data is written to application logs.
- The keyboard cache is disabled on text inputs that process sensitive data.
- No sensitive data is exposed via IPC mechanisms.
- No sensitive data, such as passwords or pins, is exposed through the user interface.
- The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
- The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
- Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
- The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.
- The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.
As a result, a very secure and highly available data lake solution was built to handle near to real-time data. Serverless services helped in order to reduce management overhead. The process of reporting was automated to reduce the work of business users. Implemented serverless and independent services architecture with robust and scalable solution to handle bulk load for new data.